It looks like a post request with an authenticity token that never changes during the session, so you can just post a new request with the same authenticity_token and invite_id, but with any value for new_score :)
you're right. honestly we didn't try at all to make it difficult to hack. figured that no matter what we did, anyone with decent skills should be able to hack it. after all you can see all the source code! (like jerry said in another comment, we're not a gaming company after all - it was just a fun little experiment) - excites me that it piqued people's interest enough to go poke around in the source code though! :)
The best way to prevent any sort of manipulation is a combination of two things: have a "maximum conceivable score" and regulate the scoring server side. Every time a "round" ends (ducks on the screen) send the data to the server, compare the score relative to the previous score and if it's ridiculous (eg: the max score they could get is 500 and it's 10,000) you dump the session for being fake.
The obvious flaw with this is people who just work out what your maximums are and then get the 100% score, but it discourages the ridiculous scores.
edit: one of your people said this below, disregard :-)
Looking at how this worked was quite interesting. I hadn't really played with the JS console before. Thanks for making a contest that wasn't totally secure. =)